A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who hope to stay current with the offensive methods in use.

TOP VULNERABILITY THIS WEEK: A pair of recent Adobe patches have closed
off vulnerabilities that were being exploited in the wild as targeted
0-days, with payloads that used a new technique to evade
operating-system level mitigations of ASLR and DEP.

--North American Industrial Controls Systems and SCADA Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The only technical security and training program in ICS security - for
program managers, control systems engineers, IT security professionals
and critical infrastructure protection specialists from asset owning and
operating organizations along with control systems and security vendors
who have innovative solutions for improving security. Every attendee
leaves with new tools and techniques they can put to work immediately.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

--SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentations include APT: It is Time to Act;
and Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

Title: Huge Microsoft Tuesday Includes Low-Level TCP/IP DoS
Description: Microsoft this week issued a huge set of patches, closing
off 57 distinct CVEs in a total of 11 security notices. While many of
these vulnerabilities will likely prove difficult to exploit in the
wild, the VML memory corruption attack (CVE-2013-0030) is already being
used for information disclosure in targeted attacks. Most likely to
wreak havoc is the TCP/IP "Finshake" denial of service (CVE-2013-0075)
- discussed on underground forums as Microsoft having "nick'd up the
stack" - which requires minimal attacker bandwidth and applies to any
Microsoft operating system, regardless of which services are made
available to the Internet. Administrators are urged to test and patch
their systems as rapidly as feasible, given the size of this release.
Reference: http://technet.microsoft.com/en-us/security/bulletin/ms13-018
https://isc.sans.edu/diary/Microsoft+February+2013+Black+Tuesday+Update+-+Overview/15142
Snort SID: 25774
ClamAV: N/A

Title: Security Firm Bit9 Compromised
Description: After failing to install its own application whitelisting
product on all of its internal systems, security firm Bit9 revealed last
week that it had been compromised, and that intruders had used its
digital signing certificates to push malicious applications as if they
were trusted code. While the firm has responded promptly and is working
with all potentially impacted parties on cleanup, the compromise
reiterates the necessity of following internal security policy in all
circumstances, not just those where doing so is easy. Note that users
of Sourcefire's FireAMP technology are protected from these malicious
binaries through certificate revocation technology.
Reference: https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/
Snort SID: N/A
ClamAV: N/A

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-0422
Title: Oracle Java SE Security Bypass Vulnerability
Vendor: Oracle
Description: Multiple vulnerabilities in Oracle Java 7 before Update 11
allow remote attackers to execute arbitrary code by (1) using the public
getMBeanInstantiator method in the JmxMBeanServer class to obtain a
reference to a private MBeanInstantiator object, then retrieving
arbitrary Class references using the findClass method, and (2) using the
Reflection API with recursion in a way that bypasses a security check
by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method
due to the inability of the sun.reflect.Reflection.getCallerClass method
to skip frames related to the new reflection API, as exploited in the
wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and
a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE:
some parties have mapped the recursive Reflection API issue to
CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose
details are not public as of 20130114. CVE-2013-0422 covers both the
JMX/MBean and Reflection API issues. NOTE: it was originally reported
that Java 6 was also vulnerable, but the reporter has retracted this
claim, stating that Java 6 is not exploitable because the relevant code
is called in a way that does not bypass security checks. NOTE: as of
20130114, a reliable third party has claimed that the
findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update
11. If there is still a vulnerable condition, then a separate CVE
identifier might be created for the unfixed issue.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
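Since the affected range stated above is "Oracle Java 7 before Update 11", the first thing an administrator wants is an inventory check that flags runtimes in that range. The following is an added example written for this newsletter, not code from Qualys, Oracle or SANS; the sample `java -version` outputs are constructed, and the function names are the author's own. It parses the legacy `1.<major>.0_<update>` version string and reports whether a runtime falls in the affected range; it treats Java 6 as not affected (per the retraction noted above) and treats 7u11 as patched, which is the vendor's stated fix level even though the description records a third-party claim that one vector may remain unfixed there.

```python
import re
import subprocess

# Constructed sample outputs in the format `java -version` prints (to stderr).
SAMPLE_OUTPUTS = {
    "java7u10": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n',
    "java7u11": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n',
    "java6u38": 'java version "1.6.0_38"\nJava(TM) SE Runtime Environment (build 1.6.0_38-b05)\n',
    "openjdk7u9": 'openjdk version "1.7.0_09"\nOpenJDK Runtime Environment (IcedTea7 2.3.3)\n',
}

# Matches the legacy version scheme used by Java 5 through 8, e.g. "1.7.0_10".
# The newer "9.0.1"-style strings deliberately do not match: this check only
# reasons about the 1.x scheme in which the advisory's affected range is stated.
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` text, or None if unrecognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    # A bare "1.7.0" (no _NN suffix) is the GA release, i.e. update 0.
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_vulnerable_cve_2013_0422(output):
    """True if the runtime is Java 7 before Update 11 (the range the advisory names).

    Returns False for other versions (including Java 6, which the reporter
    retracted as not exploitable) and None if the version string is not understood.
    Note: the advisory records an unconfirmed claim that the findClass/MBeanInstantiator
    vector persists in 7u11; this check follows the vendor's stated fix level.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update = parsed
    return major == 7 and update < 11


def check_local_java(timeout=30):
    """Run the local `java -version` and classify it; None if java is absent or unparsable."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # Older JDKs print the banner on stderr; newer ones may use stdout, so scan both.
    return is_vulnerable_cve_2013_0422(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        print(f"{name:12s} affected by CVE-2013-0422: {is_vulnerable_cve_2013_0422(text)}")
    print(f"local java   affected by CVE-2013-0422: {check_local_java()}")
```

On a fleet, the same function can be fed the captured banner from each host (from a software inventory export or a remote `java -version` run) rather than invoking `java` locally; a `None` result means the host needs a manual look rather than a clean bill of health.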

(c) 2013. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
https://www.sans.org/account